fix(jruby): SAX parser uses an entity resolver

to avoid XXE injections. This behavior now matches the CRuby implementation.
sparklemotion · Sep 26, 2021 · 4bd943c · 4bd943c
1 parent f943ee4
commit 4bd943c
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/ext/java/nokogiri/XmlSaxParserContext.java b/ext/java/nokogiri/XmlSaxParserContext.java
@@ -225,6 +225,7 @@ public class XmlSaxParserContext extends ParserContext
     preParse(runtime, handlerRuby, handler);
     parser.setContentHandler(handler);
     parser.setErrorHandler(handler);
+    parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options));
 
     try {
       parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler);

diff --git a/test/xml/sax/test_parser.rb b/test/xml/sax/test_parser.rb
@@ -426,5 +426,38 @@ def call_parse_io_with_encoding(encoding)
 
       assert_predicate(handler.errors, :empty?)
     end
+
+    it "does not resolve entities by default" do
+      xml = <<~EOF
+        <?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE doc [
+          <!ENTITY local SYSTEM "file:///#{File.expand_path(__FILE__)}">
+          <!ENTITY custom "resolved>
+        ]>
+        <doc><foo>&local;</foo><foo>&custom;</foo></doc>
+      EOF
+
+      doc = Doc.new
+      parser = Nokogiri::XML::SAX::Parser.new(doc)
+      parser.parse(xml)
+
+      assert_nil(doc.data)
+    end
+
+    it "does not resolve network external entities by default" do
+      xml = <<~EOF
+        <?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE doc [
+          <!ENTITY remote SYSTEM "http://0.0.0.0:8080/evil.dtd">
+        ]>
+        <doc><foo>&remote;</foo></doc>
+      EOF
+
+      doc = Doc.new
+      parser = Nokogiri::XML::SAX::Parser.new(doc)
+      parser.parse(xml)
+
+      assert_nil(doc.data)
+    end
   end
 end